NYDFS Announces New Cybersecurity Requirements for Financial Services Companies

On July 29, the New York State Department of Financial Services (NYDFS) posted a request for public comment on its proposed amendments to its cybersecurity requirements for financial services companies, the Cybersecurity Requirements for Financial Services Companies (Part 500).

Part 500 became effective on March 1, 2017, and applies to New York chartered banks, insurance companies doing business in New York, and financial services firms licensed by the NYDFS (collectively, the “covered entities”).

The Proposed Amendments

New Entity Classification and Requirements

Under the proposed amendments, covered entities that have more than 2,000 employees or a gross annual revenue of more than $1 billion averaged over the last three fiscal years will be defined as the newly created category of “Class A” companies that will be required to:

  • Conduct independent audits of their cybersecurity programs on an annual basis;

  • Conduct systemic scans or reviews on a weekly basis;

  • Monitor privileged account access activity and apply a password vaulting solution that automatically blocks “commonly used passwords,” unless approved by a chief information security officer (CISO) in writing;

  • Allow external risk assessments to be conducted by experts at least once every three years;

  • Implement an endpoint detection and response solution that monitors for anomalous activity, including lateral movement, and generates alerts when a security event occurs, unless otherwise approved by a CISO in writing.

Additional Board Oversight

The board of directors should be directly involved in the preparation for and resolution of cybersecurity incidents. As such, boards would be required to:

  • Approve cybersecurity policies on an annual basis;

  • Require executive management to develop, implement, and maintain an information security program for the covered entity;

  • Possess sufficient expertise and knowledge, or employ someone with sufficient expertise and knowledge to advise them, to effectively exercise oversight of cyber risk;

  • Receive reports, along with senior management of the covered entity, as to any “material gaps” in the covered entity’s cybersecurity practices that are identified during testing.

CISOs

The CISO of a covered entity must:

  • Maintain independence and authority to ensure proper management of the cybersecurity risks;

  • Include in their annual board report any plans for remediating inadequacies in their cybersecurity program and practices as well as any “material cybersecurity issues” that have occurred in the entity’s operations;

  • Review the feasibility of encryption practices and the effectiveness of the compensating controls of the covered entity on an annual basis;

  • Work with the CEO to sign a document certifying the covered entity has complied with the NYDFS cybersecurity regulations on an annual basis. Alternatively, if the covered entity has not complied, the CISO and CEO must identify the regulations that have not been satisfied and the nature and extent of the non-compliance.

NYDFS Notifications

Covered entities would be required to electronically notify the NYDFS Superintendent within 72 hours of:

  • A cybersecurity event that led an unauthorized user to gain access to a “privileged account,” defined as a user or service account that can:

    • Perform security-related functions ordinary users are not authorized to perform, or

    • Affect a material change to the technical or business operations of the covered entity; and/or

  • A cybersecurity event resulting in the deployment of ransomware to a “material” component of the covered entity’s information system.

Additionally, where a covered entity makes an extortion payment in connection with a cybersecurity event, the NYDFS Superintendent must receive:

  • Notice within 24 hours of making an extortion payment, and;

  • A written description, within 30 days of making the extortion payment, of the reason the payment was deemed necessary, the alternatives that were considered in making that decision, and all diligence that was performed to find an alternative to payment and to ensure compliance with all applicable rules and regulations.

Compliance Obligations

All covered entities would be required to:

  • Document and maintain an asset inventory that tracks key information for each asset;

  • Develop a business continuity and disaster recovery (BCDR) plan that ensures the covered entity can continue to provide services in the event of a cyber emergency or disruption;

  • Provide training to all employees responsible for implementing the BCDR plan and the proper incident response for their roles and responsibilities, and;

  • Periodically test their incident response plan, BCDR plan, and back-up utilization to restore systems.

Violations and Penalties

In assessing penalties for violations, the NYDFS must consider:

  • The covered entity’s cooperation in NYDFS’s investigatory efforts;

  • The covered entity’s good faith;

  • Whether the violations were unintentional, inadvertent, reckless, or intentional or deliberate;

  • Whether the violations were a result of the covered entity’s failure to remedy previous examination matters, disciplinary letters, letters of instruction, or otherwise;

  • The covered entity’s history of prior violations;

  • Whether the violation involved is an isolated incident or part of a pattern of repeat or systemic violations;

  • Whether the covered entity provided false or misleading information;

  • The extent of consumer harm;

  • Whether proper disclosures were made to affected consumers;

  • The gravity, number, and length of time over which violations occurred;

  • If any senior governing body participated in committing the violation;

  • Penalties or sanctions being imposed by other regulatory agencies;

  • The financial resources, net worth, and annual business volume of the covered entity and its affiliates, and;

  • Any other matter required by justice and the public interest.

Comments on these proposed amendments were due August 8, but the NYDFS has committed to receiving comments from “interested stakeholders” for a 60-day period that will commence in the next few weeks. If your financial institution might be impacted by these regulations, you should consider submitting comments to NYDFS. For all others, these proposed amendments should serve as notice as to the financial industry’s evolving approach to cybersecurity.
